Introduction

Important to understand network behavior of hosts
Durations active and idle by host type
Patterns important for Situational Awareness
Baselining to detect anomalies
Decide whether a host should be in the inventory


Software Engineering Institute
Carnegie Mellon


Objectives of the Analysis

Distributions of the durations of active and idle times
Insights into different behaviors

Two metrics:

Probability of a host being active after a period of idleness

Conditional probability of a host becoming active within a time horizon
Given it has been idle for some time

Methodology


Flow data from the public domain
(http://tools.netsa.cert.org/silk/referencedata.html)

SiLK (CERT/SEI) and Unix tools
Spreadsheets

Focus on web servers initially
Methodology applicable to all types of hosts

Analysis


Time series of network flows - out traffic
Time window = 23 hours
Time scale (bin size) = 1 hour
Convert volumes to a 0/1 series (1 => active)
Compute the durations of active and idle times
Plot the frequency distributions
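The steps listed on this slide, together with the two metrics from the Objectives slide, worked through in code. This is an added example, not the authors' SiLK/Unix/spreadsheet workflow: the flow records are constructed, "any outbound bytes in the bin" is the assumed activity threshold, and the two metrics are given assumed empirical definitions over the idle-run lengths (P(D <= t) for "active after a period of idleness", and P(D <= t + h | D > t) for "active within a horizon given idle so far"). Runs that touch the window edge are flagged as censored, which is the estimation problem the Discussion slide raises.

```python
"""Active/idle duration analysis of one host from outbound flow records.

Added example, not the slide authors' SiLK/Unix/spreadsheet workflow.
It follows the steps on the Analysis slide (23-hour window, 1-hour bins,
0/1 activity series, run-length durations, frequency distributions) and
then estimates the two metrics from the Objectives slide. The flow
records, the "any bytes" activity threshold and the empirical definitions
of the two metrics are assumptions made for this example.
"""
from collections import Counter
from itertools import groupby

WINDOW_HOURS = 23   # time window from the slide
BIN_HOURS = 1       # time scale (bin size) from the slide

# Constructed sample: (start offset in hours from window start, bytes) for
# outbound flows of one web server. Any hour without a flow is idle.
SAMPLE_FLOWS = [
    (0.2, 1200), (0.8, 300), (1.5, 4500),
    (5.1, 900), (6.7, 2300),
    (8.4, 150),
    (14.0, 5000), (15.3, 700), (16.9, 100),
    (18.2, 2400), (19.6, 800),
    (23.5, 999),  # outside the 23-hour window: dropped by bin_volumes()
]


def bin_volumes(flows, window_hours=WINDOW_HOURS, bin_hours=BIN_HOURS):
    """Sum outbound bytes per bin; flows outside the window are ignored."""
    n_bins = window_hours // bin_hours
    volumes = [0] * n_bins
    for start_hour, nbytes in flows:
        idx = int(start_hour // bin_hours)
        if 0 <= idx < n_bins:
            volumes[idx] += nbytes
    return volumes


def to_activity(volumes, threshold=0):
    """Convert volumes to a 0/1 series: 1 => active (bytes above threshold)."""
    return [1 if v > threshold else 0 for v in volumes]


def run_durations(activity, drop_censored=False):
    """Return (active_runs, idle_runs) as lists of run lengths in bins.

    The first and last runs touch a window edge, so their true length is
    unknown (the censoring/truncation problem noted in the Discussion);
    drop_censored=True excludes them from the distributions.
    """
    runs = [(state, sum(1 for _ in grp)) for state, grp in groupby(activity)]
    if drop_censored and len(runs) > 2:
        runs = runs[1:-1]
    active = [n for state, n in runs if state == 1]
    idle = [n for state, n in runs if state == 0]
    return active, idle


def frequency_distribution(durations):
    """Frequency of each duration, sorted by duration (what the slides plot)."""
    return dict(sorted(Counter(durations).items()))


def mean(values):
    return sum(values) / len(values) if values else None


def p_active_after_idle(idle_runs, t):
    """Metric 1 (assumed definition): empirical probability that an idle
    spell has ended, i.e. the host is active again, within t bins: P(D <= t)."""
    if not idle_runs:
        return None
    return sum(1 for d in idle_runs if d <= t) / len(idle_runs)


def p_active_within_horizon(idle_runs, idle_so_far, horizon):
    """Metric 2 (assumed definition): P(D <= t + h | D > t), the chance the host
    becomes active within horizon h given it has already been idle for t.
    Only idle runs longer than t carry information; None if there are none."""
    at_risk = [d for d in idle_runs if d > idle_so_far]
    if not at_risk:
        return None
    return sum(1 for d in at_risk if d <= idle_so_far + horizon) / len(at_risk)


def analyze(flows=SAMPLE_FLOWS):
    """Run the whole pipeline on a flow list and return the intermediate results."""
    activity = to_activity(bin_volumes(flows))
    active, idle = run_durations(activity)
    return {
        "activity": activity,
        "active_runs": active,
        "idle_runs": idle,
        "active_dist": frequency_distribution(active),
        "idle_dist": frequency_distribution(idle),
        "mean_active": mean(active),
    }


if __name__ == "__main__":
    r = analyze()
    print("activity:", "".join(map(str, r["activity"])))
    print("active durations:", r["active_dist"], "mean", r["mean_active"])
    print("idle durations:", r["idle_dist"])
    print("P(active within 2h | idle 1h) =", p_active_within_horizon(r["idle_runs"], 1, 2))
```

With a real data set the window would be much longer than 23 bins (the Future Work slide asks for exactly that); at this size the edge-censored runs are a large share of the sample, so the metric estimates from `drop_censored=True` and `drop_censored=False` differ noticeably, which is the bias the Discussion slide points at.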
Durations from Flows (Hypothetical)

[Figure: hypothetical flows from a host and the active/idle durations derived from them]

Results


[Figure: Distribution of active durations]

[Figure: Distribution of idle durations]

Discussion


Active durations

Very compact (low variation - narrower than Poisson)

Mean = 1.8

Weibull?

Idle durations

Long tail or two populations
Issues with estimating the metrics
Censoring/truncation problems

Future Work

Need much longer time series

Need to estimate the metrics with more data sets

Correct for biases

Compare across different host types

Effects of varying the time scales, time windows and time horizons

Questions/comments?